Email intelligence v 0.0.
SPEAKER: @soxoj
About me
Chaos Constructions 2021
Email intelligence
Security engineer
Antifraud systems developer
OSINT enthusiast
DEFCON7495 speaker
Overview
- Why are we talking about emails
- Email intelligence workflow
- Methods and services for checking emails
  - SMTP
  - Email providers and social networks
  - Whois, SSL certs, PGP keys
  - Source code
  - Email assumptions
  - Marketing & reputation tools
- Conclusions
Simplified workflow by Michael Bazzell
https://archive.is/hKP7d
A more realistic workflow by me
[Workflow diagram. Nodes: email address, user name, real name, email assumptions, search engines, Whois, SSL certificates, social networks, PGP keys, email provider services, reputation validators, SMTP checks, leaked DBs, marketing tools, source code]
Simplified workflow
1. Validate email
2. Search for information about the owner
3. Gather all the relevant information, e.g. other emails
4. Exit if there is enough information
5. Repeat for the next email
Workflow overview: SMTP checks
SMTP checks
- VRFY - verify login, returns full name (old, enabled in some services only)
- EXPN - verify and expand aliases / mailing lists (old, disabled or unimplemented in most services)
- RCPT - add recipient and check for its existence (still works as a core part of the protocol: Gmail, Yandex, etc.)
https://github.com/un33k/python-emailahoy
https://github.com/cytopia/smtp-user-enum
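Because RCPT cannot be switched off the way VRFY and EXPN can, a mail operator has to spot this kind of checking in server logs instead. The sketch below is an added example, not part of the talk or of the tools linked above; the log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample; the "<client-ip> <command> -> <reply code>" format is an
# assumption for this example, not the log format of any real mail server.
SAMPLE_LOG = """\
203.0.113.7 EHLO probe.example -> 250
203.0.113.7 VRFY alice -> 252
203.0.113.7 MAIL FROM:<check@probe.example> -> 250
203.0.113.7 RCPT TO:<alice@corp.example> -> 250
203.0.113.7 RCPT TO:<a.smith@corp.example> -> 550
203.0.113.7 RCPT TO:<asmith@corp.example> -> 550
203.0.113.7 RCPT TO:<alice.smith@corp.example> -> 550
198.51.100.20 EHLO mail.partner.example -> 250
198.51.100.20 MAIL FROM:<bob@partner.example> -> 250
198.51.100.20 RCPT TO:<alice@corp.example> -> 250
198.51.100.20 DATA -> 354
"""

LINE = re.compile(r"^(\S+) (\w+)\b.* -> (\d{3})$")

def find_probing_clients(log_text, max_rejected_rcpt=2):
    """Return {client_ip: [reasons]} for clients that look like address probing."""
    stats = defaultdict(lambda: {"vrfy_expn": 0, "rcpt": 0, "rejected": 0, "data": 0})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, verb, code = m.group(1), m.group(2).upper(), int(m.group(3))
        s = stats[ip]
        if verb in ("VRFY", "EXPN"):
            s["vrfy_expn"] += 1
        elif verb == "RCPT":
            s["rcpt"] += 1
            s["rejected"] += code >= 500  # 5xx reply: recipient refused
        elif verb == "DATA":
            s["data"] += 1
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["vrfy_expn"]:
            reasons.append("VRFY/EXPN used")
        if s["rejected"] > max_rejected_rcpt:
            reasons.append("many rejected RCPT TO")
        if s["rcpt"] and not s["data"]:
            reasons.append("RCPT TO without DATA")
        if reasons:
            findings[ip] = reasons
    return findings
```
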
Workflow overview: provider services and social networks
Provider services and social networks
What’s the difference?
Provider services and social networks: authorization
Expectation:
Reality:
Provider services and social networks: registration
Provider services and social networks: access recovery
https://t.me/osint_mindset/62
Provider services and social networks: API
User needs first => Usable OSINT APIs
https://mail.google.com/mail/gxlu?email=<Google Email>
https://yandex.ru/collections/user/<Yandex Email Login>/
https://my.mail.ru/<Email domain>/<Email login>
https://filin.mail.ru/pic?email=<Mail.ru Email>
Protonmail API: PGP key + fingerprint, uid, created_at
https://github.com/pixelbubble/ProtOSINT
Provider services and social networks: tools
Holehe
- More than 120 social networks
- Doesn’t notify the owner of the email
Mailcat
- More than 20 mail services, more than 100 aliases
- Doesn’t notify the owner of the email
GHunt
- Get info by email + document, YouTube, GAIA ID
- Extract real name, photo, YouTube channels, reviews, other usernames, calendar events, ...
Other Google API tools
See also:
- https://tools.epieos.com/email.php
- https://t.me/UniversalSearchBot
- https://twitter.com/subfnSecurity/status/1255741950914727942
Workflow overview: sites and privacy
Domains, certificates, email encryption
Look for official email & name pairs
Examples:
- Search by domain registrant email: https://domainbigdata.com/
- Search by certificate identity email: https://crt.sh/?a=1
- Search by PGP key owner email: https://pgp.mit.edu/
Workflow overview: source code
Source code
Look for emails in places where other emails turn up
- People change emails and nicknames, but not their commit history
- People use work and personal emails alternately
- People make mistakes
https://telegra.ph/Gitcolombo---OSINT-v-GitHub-03-02
https://github.com/soxoj/gitcolombo
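To see what your own repository's history discloses before publishing it, the author names and emails in the commit log can be grouped by shared name or shared email. This is an added example, not code from the talk or from gitcolombo; the sample log lines are constructed, and the input is assumed to be the output of `git log --format='%an|%ae'`.

```python
from collections import defaultdict

# Constructed sample of `git log --format='%an|%ae'` output from your own repository.
SAMPLE_GIT_LOG = """\
Alice Smith|alice.smith@corp.example
Alice Smith|alice.smith@corp.example
Alice Smith|asmith1990@mail.example
asmith|asmith1990@mail.example
Bob Jones|bob@corp.example
"""

def link_identities(git_log_text):
    """Group author names and emails that share a name or an email (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for line in git_log_text.splitlines():
        name, sep, email = line.strip().rpartition("|")
        if not sep or not email:
            continue
        # A commit ties one name to one email: merge their groups.
        parent[find(("name", name.lower()))] = find(("email", email.lower()))

    groups = defaultdict(lambda: {"names": set(), "emails": set()})
    for kind, value in list(parent):
        groups[find((kind, value))][kind + "s"].add(value)
    # Only groups with more than one email disclose a link between addresses.
    return [g for g in groups.values() if len(g["emails"]) > 1]
```
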
Don’t forget about special indexers like grep.app and archives, e.g. Google BigQuery GitHub Dataset
https://telegra.ph/Ishchem-po-email-v-GitHub-11-01
Workflow overview: email assumptions
Email assumptions
Suppose the target has several email addresses, work + personal at least
https://t.me/cybred/299
https://github.com/c0rv4x/logins-generator
Workflow overview: email assumptions
Marketing tools & reputation validators
Black-box validation services can be useful for fast and bulk checking
- HR, sourcing
- Sales
- Audience management
- Antifraud
Workflow overview: what we didn’t discuss
Conclusions
1. Methods are important, not specific tools
2. You should know the internet landscape
3. Use info leaks from social services
4. Look for official email & name pairs
5. Look for emails in places where other emails turn up
6. Don’t forget about special indexers and archives
7. Black-box validation services can be useful for fast and bulk checking
A large collection of tools:
https://github.com/HowToFind-bot/osint-tools/tree/master/Email
https://t.me/soxoj
https://t.me/osint_mindset
THANKS. ANY QUESTIONS?